When you start the download of a file, your browser cannot simply send the file’s key to the server for it to decrypt the download on your behalf – doing so would completely eviscerate zero-knowledge encryption. This JavaScript code is cryptographically sensitive and therefore must be public. When opening a MEGA file or folder link, the browser initially doesn’t receive any file or folder data – instead, it downloads a bunch of JavaScript code that then fetches the file or folder metadata and uses the decryption key from the anchor portion of the URL to decrypt it and display relevant file and folder information. Decrypt the downloaded file data in the browser.And that’s very handy when it comes to devising a URL format containing information that absolutely needs to stay on the client side: The key is included in the URL as a pseudo-anchor link, separated by a # character. Since the web server does not need to know about this, browsers do not send the anchor portion of a URL when requesting a page. Their original purpose was to link to locations within a page – the browser would automatically scroll to the page’s matching anchor point. And, how can an encrypted file be downloaded from a server that doesn’t have its decryption key? Here is how it works:Īnchor links are appended to a URL separated by a # symbol. In a browser context, two difficulties arise: How is the encryption key prevented from being sent to the MEGA servers when opening the link? If it was part of the HTTP request, zero-knowledge encryption would be compromised. This important cornerstone of our philosophy also applies to file and folder links. This means that all encryption and decryption is performed by our users, on their devices, with keys that only they have access to. MEGA is a zero-knowledge encryption cloud storage service.